Creating a Secure Sockets Layer repertoire configuration entry


Define Secure Sockets Layer connections

Use these steps to add SSL configuration repertoires alongside the default DefaultSSLSettings repertoire.

The first step in configuring Secure Sockets Layer (SSL) is to define an SSL configuration repertoire. A repertoire contains the details necessary for building an SSL connection, such as the location of the key files, their format, and the available ciphers. WebSphere Application Server provides a default repertoire called DefaultSSLSettings. To view this page in the administrative console, click Security > SSL to see the list of SSL repertoire settings.

About this task

The appropriate repertoire is referenced during the configuration of a service that sends and receives requests encrypted using SSL, such as the Web and enterprise bean containers. If an SSL configuration alias is referenced elsewhere but is deleted from the SSL Configuration Repertoires panel, any SSL connection that uses the deleted alias fails.

With the SSL configuration repertoire, administrators can define SSL settings to use for making Hypertext Transfer Protocol with SSL (HTTPS), Internet InterORB Protocol with SSL (IIOPS), or Lightweight Directory Access Protocol with SSL (LDAPS) connections. You can pick one of the SSL settings defined here from any location within the administrative console that supports SSL connections. This selection simplifies the SSL configuration process because you can reuse an SSL configuration by specifying its alias in multiple places.


Procedure

  1. From the SSL Configuration Repertoire window, click New.

  2. Enter the information needed to access the key file.

    1. Type the name of the key file, which must include the fully qualified path to the key file, in the Key File Name field.

    2. Type the password needed to access the key file in the Key File Password field.

    3. Select the format of the key file from the Key File Format menu.

  3. Enter the information needed to access the trust file.

    1. Type the name of the trust file, which must include the fully qualified path to the trust file, in the Trust File Name field.

    2. Type the password needed to access the trust file in the Trust File Password field.

    3. Select the format of the trust file from the Trust File Format menu.

  4. Select the Client Authentication option if this configuration supports client authentication. This selection only affects HTTP and LDAP requests.

  5. Select the appropriate security level from the Security Level menu. Valid values are low, medium, and high. Low specifies digital signing ciphers only (no encryption); medium specifies 40-bit ciphers only (including digital signing); high specifies 128-bit ciphers only (including digital signing).

    If you are using a Federal Information Processing Standards (FIPS)-supported Java Secure Socket Extension (JSSE), select High from the Security Level menu.

  6. Select a cipher suite from the Cipher Suites menu. Manually add the cipher suite if the preset security level does not define the required cipher.

  7. Select the Cryptographic Token option if hardware or software cryptographic support is available.

    For details regarding cryptographic support, see Configure_to_use_cryptographic_tokens.html.

  8. Indicate which JSSE provider you are using by either selecting IBMJSSE, IBMJSSE2 (recommended) or IBMJSSEFIPS from the menu, or by typing the name of the provider. WebSphere Application Server includes the IBMJSSE, IBMJSSE2 and IBMJSSEFIPS JSSE providers. See Configuring Federal Information Processing Standard Java Secure Socket Extension files for more information.

    Important: When you use an IBM FIPS-approved JSSE, WebSphere Application Server automatically selects IBMJSSE2 as your provider.

    If you are not using the predefined providers, a custom provider might require additional properties to be configured, which are determined by the provider. If so, click Apply, then Custom Properties > New in the Additional Properties section. After the custom provider is configured, return to the SSL Configuration Repertoires window and continue with these instructions.

  9. Select an SSL or TLS protocol version.

    If you are using an IBM FIPS-approved JSSE, WebSphere Application Server automatically selects the TLS protocol. If you use a custom FIPS-approved JSSE, select the TLS protocol.

  10. Click Apply to apply the changes.

  11. If no errors occur, save the changes to the master configuration and restart the WebSphere Application Server.

    For more information on the FIPS certification process and to check the status of the IBM submission, see the Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List Web site. For more information on FIPS 140-2 cryptographic services, refer to Configuring Federal Information Processing Standard Java Secure Socket Extension files.
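The constraints spread across the steps above (fully qualified key and trust file paths, the meaning of the three security levels, the FIPS rules that force High and TLS, and the scope of the Client Authentication option) collected into one check. This is added example code written for this page, not WebSphere tooling or a wsadmin script; the field names and the two sample entries are constructed to mirror the console labels.

```python
import os

SECURITY_LEVELS = {"low", "medium", "high"}
BUNDLED_PROVIDERS = {"IBMJSSE", "IBMJSSE2", "IBMJSSEFIPS"}  # shipped with WebSphere


def check_repertoire(entry):
    """Return a list of findings for one repertoire entry; empty list means it passes.
    Keys are constructed for this example and mirror the console field labels."""
    findings = []
    for name in ("key_file_name", "trust_file_name"):
        path = entry.get(name, "")
        if not path or not os.path.isabs(path):  # must be a fully qualified path
            findings.append(f"{name} must be a fully qualified path, got {path!r}")
    for name in ("key_file_password", "trust_file_password"):
        if not entry.get(name):
            findings.append(f"{name} is empty")
    level = entry.get("security_level", "").lower()
    if level not in SECURITY_LEVELS:
        findings.append(f"security_level must be low, medium or high, got {level!r}")
    elif level == "low":
        findings.append("security_level low: signing-only ciphers, traffic is not encrypted")
    elif level == "medium":
        findings.append("security_level medium: 40-bit ciphers only")
    provider = entry.get("jsse_provider", "")
    if provider not in BUNDLED_PROVIDERS:  # custom provider may need custom properties
        findings.append(f"custom provider {provider!r}: check whether it needs custom properties")
    if entry.get("fips_approved", False) or provider == "IBMJSSEFIPS":
        if level != "high":
            findings.append("FIPS-approved JSSE requires security_level high")
        if not entry.get("protocol", "").upper().startswith("TLS"):
            findings.append("FIPS-approved JSSE requires the TLS protocol")
    if entry.get("client_authentication") and entry.get("used_for") == "IIOPS":
        findings.append("client_authentication only affects HTTP and LDAP requests, not IIOPS")
    return findings


# Constructed sample entries: one that trips several rules and one that passes.
WEAK_ENTRY = {
    "key_file_name": "keys/server.jks", "key_file_password": "",
    "trust_file_name": "/opt/ws/etc/trust.jks", "trust_file_password": "trustpass",
    "security_level": "medium", "jsse_provider": "IBMJSSEFIPS", "protocol": "SSLv3",
}
HARDENED_ENTRY = {
    "key_file_name": "/opt/ws/etc/server.jks", "key_file_password": "keypass",
    "trust_file_name": "/opt/ws/etc/trust.jks", "trust_file_password": "trustpass",
    "security_level": "high", "jsse_provider": "IBMJSSE2", "protocol": "TLS",
    "fips_approved": True, "client_authentication": False, "used_for": "HTTPS",
}

if __name__ == "__main__":
    for label, entry in (("weak", WEAK_ENTRY), ("hardened", HARDENED_ENTRY)):
        print(label, check_repertoire(entry))
```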


Results

You included additional SSL configuration repertoires with the default DefaultSSLSettings repertoire.

Example

The appropriate repertoire is referenced during the configuration of a service that sends and receives requests encrypted using SSL, such as the Web and enterprise bean containers, and Lightweight Directory Access Protocol (LDAP) servers.


What to do next

For the changes to take effect, restart the server after saving the configuration.
